JP5447544B2 - Consignment parameter information generation device, shared key composition device, signature information composition device, communication device, key sharing computation-commission device, signature information generation computation-commission device, computation-commission device, key sharing system, signature information verification system, and communication system - Google Patents

Description

  The present invention relates to a delegation parameter information generating apparatus, a shared key synthesizing apparatus, a signature information synthesizing apparatus, a communication apparatus, a key sharing computed entrusting apparatus, a signature information generating computed entrusting apparatus, a computed entrusting apparatus, a key sharing system, and a signature information verification. With respect to the system and the communication system, for example, a part of calculation of key exchange processing and authentication processing can be applied when the calculation-commissioned device safely processes on behalf of the communication device.

  For example, in order to use sensors in the social infrastructure field where high reliability and quality are required, such as disaster prevention monitoring, traffic control, and finance, between a communication device such as a service providing server and a communication device such as a sensor. It is necessary to maintain the safety of communication.

  In order for a communication device such as a sensor to secure a secure end-to-end communication path with a communication device such as a service providing server, authentication, key exchange, etc. End-to-end information exchange is required.

  Here, consider a case where communication devices such as sensors form a power-saving multi-hop network. The power-saving multi-hop network is a network that suppresses power consumption by sleeping when each communication device such as a sensor delivers data by a bucket relay method and does not participate in data delivery.

  For example, when a large number of communication devices such as sensors are deployed over a wide area and it is desired to secure an end-to-end safe communication path between each communication device and a communication device such as a server on the Internet, End-to-end information exchange may cause problems such as congestion in a power-saving multi-hop network, increased power consumption, and increased processing time.

  As a prior art that can cope with the above-mentioned problems, Patent Document 1 discloses that end-to-end key exchange processing required for IPsec (Security Architecture for Internet Protocol) is applied to a mobile phone or PDA that is required to be reduced in size and weight. Since it is difficult to introduce, there has been proposed a method for reducing the load on the terminal by delegating key exchange processing to a device on the upper network side.

JP 2004-128782 A

  However, in the technology described in Patent Document 1 described above, it is necessary to deposit secret information such as its own authentication key in the proxy device in order to have the device on the higher network side perform the key exchange processing. In addition, the technique described in Patent Document 1 described above needs to have the shared key calculated on the proxy device side.

  For example, when assuming a proxy device on a network using a cloud environment, or when using a plurality of proxy devices, from the viewpoint of reliability of maintenance of confidential information to the proxy device, the proxy device other than the proxy device itself It is not very desirable to handle confidential information related to other communication devices.

  Therefore, from the viewpoint of the reliability of maintenance of confidential information to the proxy device, a delegated parameter information generation device and a shared key synthesis device that can perform key exchange processing / authentication processing related to communication between communication devices on behalf of the communication device There is a need for a signature information composition device, a communication device, a key sharing computed entrusting device, a signature information generation computed entrusting device, a computed entrusting device, a key sharing system, a signature information verification system, and a communication system.

In order to solve such a problem, the consignment parameter information generation device of the first aspect of the present invention includes a first storage unit that stores secret key information, a second storage unit that stores first public key information, Third storage means for storing N pieces of public key information from 2nd to (N + 1) th, integer division means for dividing the secret key information of the first storage means into N partial secret key information, and a cyclic group Are combined with the unit elements of the predetermined cyclic group by an operator defined in the cyclic group by the number given by the predetermined integer, and the secret key information of the first storage means, First calculation means for performing calculation processing based on each public key information read one by one from N pieces of public key information in the third storage means, and calculation results of the first calculation means from the first The key conversion means for converting to N pieces of common key information up to the Nth, and the unit element of the cyclic group, The elements of the cyclic group are combined by an operator defined in the cyclic group by the number given by a predetermined integer, and the N partial secret key information and the second storage means 2nd computing means for obtaining N partial shared key calculation parameters from 1st to Nth based on 1 public key information, and jth common key information of N pieces of common key information Is used as key information, and the bit string representation of the corresponding j-th partial shared key calculation parameter is encrypted as the bit string to be encrypted to generate the j-th delegation parameter information, and the first to Nth delegation parameters consignment parameter information generating device of the second present invention, characterized in that it comprises encryption means for generating an information stores a first storage means for storing the secret key information, the first public key information Second storage means and second to second A third storage means for storing N public key information up to +1, an integer dividing means for dividing the secret key information of the first storage means into N partial secret key information, and a unit element of the cyclic group The elements of the predetermined cyclic group are combined by an operator defined in the cyclic group by the number given by the predetermined integer, and the secret key information of the first storage means and the third storage First arithmetic means for performing arithmetic processing based on each public key information read one by one from the N public key information of the means, and the arithmetic results of the first arithmetic means are expressed as first to Nth Key conversion means for converting into N pieces of common key information, and j-th common key information of the N pieces of common key information as key information, and a bit string representation of the corresponding j-th partial secret key information is encrypted The jth delegation parameter information is generated by encrypting as a bit string to be encrypted, and the first Characterized in that it comprises an encryption means for generating a consignment parameters of La to the N-th.

  A communication apparatus according to a third aspect of the present invention includes transmission / reception means and entrustment parameter information generation means corresponding to the entrustment parameter information generation apparatus according to the first aspect of the present invention.

  According to a fourth aspect of the present invention, there is provided a shared key synthesizing apparatus that inputs a pre-shared key information storage unit that stores pre-shared key information and N integers encrypted with the pre-shared key information. Decrypting N integers with pre-shared key information to obtain N pieces of partial information, and combining N pieces of partial information decrypted by the decoding means with a predetermined operation to obtain predetermined secret information Means.

According to a fifth aspect of the present invention, there is provided a signature information synthesizing device, a storage unit that stores preset pre-shared key information and secret key information, a decoding unit that decrypts information encrypted with the pre-shared key information, N The partial digital signature parameter information is summed in a finite field consisting of a set (0, 1,..., N−1) with respect to the order n of a predetermined cyclic group, and the sum of the finite field of the sum is obtained. Finding the inverse element in the multiplicative group, and multiplying the inverse element by a value obtained by adding the product of the secret key information and the digital signature first parameter information to the product obtained by replacing an arbitrary hash value with the element of the finite field Calculating means for obtaining the second parameter information of the digital signature obtained by the decryption means, wherein the decrypting means receives the encrypted N pieces of partial digital signature parameter information and decrypts them with the pre-shared key information. But in the decryption means The N partial digital signature parameter information decoded is received, the first digital signature parameter information is received from a predetermined interface, and the N partial digital signature parameter information is combined by a predetermined operation to obtain the digital signature parameter information. The digital signature second parameter information is calculated based on the digital signature parameter information, the digital signature first parameter information, the predetermined hash value, and the secret key information.

According to a sixth aspect of the present invention, there is provided a signature information synthesizing device comprising: storage means for storing preset pre-shared key information; decryption means for decoding information encrypted with the pre-shared key information; and N partial digital signatures Computation means for computing digital signature information by combining the information with computation defined in a predetermined group, and decryption means for storing N pieces of partial shared key information encrypted with pre-shared key information in the storage means The decryption is performed using the stored pre-shared key information, and the computing means combines N partial digital signature information to obtain digital signature information.

  A communication apparatus according to a seventh aspect of the present invention is a transmission / reception means, a shared key composition means corresponding to the shared key composition apparatus according to the fourth aspect, and a digital corresponding to the signature information composition apparatus according to the fifth or sixth aspect. A signature synthesizing unit, and the transmission / reception unit includes N pieces of encrypted partial shared key information, N pieces of encrypted first partial ciphertext parameter information, or N pieces of encrypted parts. Any one of the premaster secret information is received and given to the decryption means of the shared key composition means, and when the second ciphertext parameter information is received, it is given to the synthesis means of the shared key composition means, and the shared key composition means The shared key information or the premaster secret information is obtained, and the encrypted N partial digital signature parameter information or the encrypted N partial digital signature information is received and digitally received. When the digital signature first parameter information, the N partial digital signature first parameter information, or the hash value is received, it is provided to the computing means of the digital signature synthesis means, The digital signature information is obtained by the synthesizing means, and the digital signature information is transmitted to a predetermined destination.

  According to an eighth aspect of the present invention, there is provided a key sharing computed delegation device, a first storage unit for storing secret key information, a second storage unit for storing first public key information, and a first storage unit for storing delegation parameter information. 3 and the unit of the cyclic group are obtained by combining the elements of the predetermined cyclic group by the number defined by the predetermined integer with the operator defined in the cyclic group. A first computing unit that performs a predetermined computing process as an element of the predetermined cyclic group based on the secret key information of the first storage unit and the first public key information of the second storage unit; A key conversion unit that converts a calculation result of the calculation unit into common key information, and decrypts the arbitrary bit string information as a ciphertext using a predetermined key information bit string. 3 shows the parameter information stored in the storage means 3 as bit string information. A decoding unit that performs decoding processing, an information input unit that inputs random number information from a predetermined interface, a unit of the cyclic group, and the cyclic group elements by the number given by a predetermined integer A result obtained by combining the operators defined in (1), wherein an integer input from the information input means is a predetermined integer, and information input from the first arithmetic means is a predetermined cyclic group element. A second computing means coupled by computation, and encrypting arbitrary bit string information with a predetermined key information bit string, wherein the common key information of the key conversion means is used as a key information bit string, and from the second computing means And encryption means for performing encryption processing using the above information as bit string information.

A key sharing computed entrusting device according to a ninth aspect of the present invention is a first storing means for storing secret key information, a second storing means for storing first public key information, and a first storing means for storing entrusted parameter information. 3 is obtained by combining the storage unit 3 and the unit element of the cyclic group by combining the elements of the predetermined cyclic group by the number defined by the predetermined integer with an operator defined in the cyclic group. A first computing means for setting the secret key information of one storage means as a predetermined integer, reading the first public key information from the second storage means and performing a predetermined calculation as an element of a predetermined cyclic group; The key conversion means for converting the information output by the calculation means to the common key information, and the arbitrary key string information is regarded as ciphertext and decrypted with a predetermined key information bit string, and the common key information is received, Information is stored as key information bit string in the third storage means. The deciphering means for performing the deciphering process using the entrusted parameter information as the bit string information, the information input means for inputting the ciphertext information from the predetermined interface, and the first integer is calculated to the power given by the second integer. A second operation means for outputting a result, wherein the integer input from the information input means is a first integer, and the information input from the decoding means is a second integer; Encrypting the bit string information with a predetermined key information bit string, comprising: encryption means for encrypting information input from the second calculation means with the common key information input from the key conversion means It is characterized by.

In the tenth aspect of the present invention, there is provided a signature information generation and computation entrusted device, wherein a first storage unit that stores secret key information, a second storage unit that stores first public key information, and a unit of a cyclic group A predetermined number of cyclic groups are combined by an operator defined in the cyclic group for a number given by a predetermined integer, and the secret key information of the first storage means is a predetermined integer, First calculation means for performing a predetermined calculation using the first public key information in the second storage means as a source of a predetermined cyclic group, and a key conversion means for converting the calculation result of the first calculation means into common key information And a random number information generating means for generating random number information and a unit of the cyclic group, the predetermined generator of the cyclic group is combined with an operator defined in the cyclic group by a number given by a predetermined integer. The random number information from the random number information generating means is assigned as a predetermined integer. A second arithmetic means for performing operation, there is to encrypt arbitrary bit string information by predetermined key information bit sequence, the information from the random number information generation unit, a common key information input from the key converting means And encryption means for encrypting.

An eleventh aspect of the present invention relates to a signature information generation computed consignment device, a first storage means for storing secret key information, a second storage means for storing first public key information, and consignment parameter information. The third storage means is connected to the unit element of the cyclic group by an operator defined in the group for the number of elements of the predetermined cyclic group by the number given by the predetermined integer. First calculation means for performing a predetermined calculation using the secret key information of the means as a predetermined integer and the first public key information of the second storage means as the element of a predetermined cyclic group, and the calculation of the first calculation means A key conversion means for converting the result into common key information; and decrypting the arbitrary bit string information as a ciphertext with a predetermined key information bit string, the common key information as a key information bit string, and a third storage means decoding hands for decoding a bit string information consignment parameter information And an information input means for inputting signature target information from a predetermined interface; and a result obtained by calculating the power of the first integer by the number given by the second integer, the information from the decryption means being obtained The second integer, the information from the information input means is the first integer, the second arithmetic means for obtaining the result of the power calculation, and the arbitrary bit string information is encrypted with a predetermined key information bit string. And encryption means for encrypting information from the second calculation means with the common key information of the key conversion means.

A computer-computed entrusting device according to a twelfth aspect of the present invention is a transmission / reception means, a key-sharing-computed entrusting unit corresponding to the key-sharing-computed entrusting device of the eighth to ninth aspects, Signature information generation / computation entrusting means corresponding to the signature information generation / computation entrusting apparatus, and the transmission / reception means receives random number information, ciphertext parameter information, or ciphertext information, It is given to the calculation consignment unit, an encryption unit key sharing the calculation consignment unit, output information encryption means signing information generating the calculation consignment unit, or an encryption unit key sharing the calculation consignment means , wherein the output information and the second calculation means of the encryption means及beauty signature information generation the calculation consignment means signature information generation the calculation consignment unit, and transmits to a predetermined communication device .

The computed entrusted device of the thirteenth aspect of the present invention receives random number information delivery management means for delivering random number information and ciphertext information, or first ciphertext parameter information and second ciphertext parameter information, and or ciphertext information, or ciphertext information delivery management means for delivering the communication apparatus behalf the second ciphertext parameter information with the delivery of the first ciphertext parameter information to another agent apparatus, a predetermined A message digest information generating unit that generates a message digest from a message, and a message digest information delivery managing unit that transmits information generated by the message digest information generating unit to another proxy device or a proxy communication device. To do.

A key sharing system according to a fourteenth aspect of the present invention is the key sharing system in which the security processing between the first communication device and the second communication device is performed by the proxy device instead of the first communication device The communication apparatus includes a delegation parameter information generating unit and a shared key synthesizing unit. N-1 second computed entrusting means corresponding to the computed entrusting apparatus, and the first computed entrusting means and each second computed entrusting means are generated by the entrusted parameter information generating means And the first calculated consignment means generates random number information and transmits it to each second calculated consignment means and the second communication device, and the first partial shared key information Is generated and transmitted to the shared key synthesizing means. The second computed entrusting unit generates second to Nth partial shared key information based on the random number information from the first computed entrusting unit, and transmits the partial shared key information to the shared key synthesizing unit. The means receives the first to Nth partial shared key information and calculates the shared key information, and the second communication apparatus receives the random number information from the first calculated delegation means and receives the shared key information. It is characterized by calculating information.

A key sharing system according to a fifteenth aspect of the present invention is a key sharing system in which a security process between a first communication device and a second communication device is performed by a proxy device on behalf of the first communication device. The communication apparatus includes a delegation parameter information generating unit and a shared key synthesizing unit. N-1 second computed entrusting means corresponding to the computed entrusting apparatus, and the first computed entrusting means and each second computed entrusting means are generated by the entrusted parameter information generating means The second communication device encrypts the premaster secret information and the premaster secret information, and generates a ciphertext composed of the first ciphertext parameter information and the second ciphertext parameter information. Shi Transmitted to the first of the calculation consignment unit, first the calculation consignment means transfers the first ciphertext parameter information to the N-1 second of the calculation consignment unit, first ciphertext parameter information after generating the first portion first ciphertext parameter information, a first portion first ciphertext parameter information, and a second ciphertext parameter information transmitted to the shared key combining means, N-1 pieces of the the calculation consignment means 2 each receiving a first ciphertext parameter information, transmitted from the first ciphertext parameter information to generate a partial first ciphertext parameter information of the second to N-th to the shared key combining means The shared key synthesizing means receives the first to Nth partial first ciphertext parameter information and the second ciphertext parameter information , and calculates premaster secret information.

A key sharing system according to a sixteenth aspect of the present invention is the key sharing system in which the security processing between the first communication device and the second communication device is performed by the proxy device instead of the first communication device. The communication apparatus includes a delegation parameter information generating unit and a shared key synthesizing unit. N-1 second computed entrusting means corresponding to the computed entrusting apparatus, and the first computed entrusting means and each second computed entrusting means are generated by the entrusted parameter information generating means And the second communication device encrypts the premaster secret information and the premaster secret information , generates ciphertext information , and transmits the ciphertext information to the first calculated consignment means, First calculated commissioning means The ciphertext information and transfers to the (N-1) second of the calculation consignment unit, from the ciphertext information to generate a first partial ciphertext information transmitted to the shared key combining means, (N-1) Each of the second computation entrusting means receives the ciphertext information, generates the second to Nth partial ciphertext information from the ciphertext information, and transmits it to the shared key synthesizing means. The first to Nth partial ciphertext information is received, and premaster secret information is calculated.

A signature information verification system according to a seventeenth aspect of the present invention is the signature information verification system in which the security processing between the first communication device and the second communication device is performed by the proxy device instead of the first communication device. The first communication apparatus includes a delegation parameter information generating unit and a signature information synthesizing unit, and the proxy device includes a first calculated delegation unit corresponding to the calculated delegation unit of the thirteenth aspect of the present invention, N-1 second calculated consignment means corresponding to the calculated consignment apparatus of the present invention, and the first calculated consignment means and each second calculated consignment means include consignment parameter information generation means. It acquires consignment parameter information generated by the first of the calculation consignment means includes a first partial digital signature parameter information, to generate a first partial digital signature first parameter information, the first partial digital signature path lame Encrypted for data information, signature and sends to the information synthesizing means, N-1 pieces of the second to-be-calculated consignment means includes a partial digital signature parameter information of the N from the second, respectively, from the second of the N Partial digital signature first parameter information is generated, and the partial digital signature parameter information is encrypted and transmitted to the signature information synthesizing means. The signature information synthesizing means includes the encrypted first to Nth partial digital signatures. The parameter information and the first to Nth partial digital signature first parameter information are received, the digital signature first parameter information and the digital signature second parameter information are calculated and transmitted to the second communication device. The second communication device receives and verifies the digital signature first parameter information and the digital signature second parameter information from the signature information synthesizing means. It is characterized in.

The signature information verification system according to an eighteenth aspect of the present invention is the signature information verification system in which the security processing between the first communication device and the second communication device is performed by the proxy device instead of the first communication device. The first communication apparatus includes a delegation parameter information generating unit and a signature information synthesizing unit, and the proxy device includes a first calculated delegation unit corresponding to the calculated delegation unit of the thirteenth aspect of the present invention, N-1 second calculated consignment means corresponding to the calculated consignment apparatus of the present invention, and the first calculated consignment means and each second calculated consignment means include consignment parameter information generation means. get the consignment parameter information generated by, N-1 pieces of the second to-be-calculated consignment means includes a partial digital signature parameter information of the N from the second respectively, partial digital from second to N Raw signature first parameter information And, for the first partial digital signature parameter information is encrypted and transmitted to the first of the calculation consignment unit, first the calculation consignment means includes a first partial digital signature parameter information , as well as encryption for the first partial digital signature parameter information to generate a first partial digital signature first parameter information, and the partial digital signature first parameter information from the second to N, encrypted from the second receiving the partial digital signature parameter information up to the N, the digital signature first parameter information of partial digital signature first parameter information from the second to the N attached at predetermined operation generated by the partial digital signature parameter information from the first encrypted until the N, the digital signature first parameter information, and sends the signature information synthesizing unit, the signature information Combining means from said first encrypted and partial digital signature parameter information of the N, and receives the digital signature first parameter information, calculates a digital signature second parameter information, the digital signature first The two parameter information is transmitted to the second communication device together with the digital signature first parameter information, and the second communication device receives the digital signature first parameter information and the digital signature second parameter information from the signature information combining means. It is characterized by receiving and verifying.

  A signature information verification system according to a nineteenth aspect of the present invention is the signature information verification system in which the security processing between the first communication device and the second communication device is performed by the proxy device instead of the first communication device. The communication apparatus comprises signature information synthesizing means, and the proxy apparatus corresponds to the first calculated consignment means corresponding to the calculated consignment apparatus of the thirteenth aspect of the invention and the calculated consignment apparatus of the twelfth aspect of the invention. N-1 second calculated delegation means, and the first calculated delegation means generates first partial digital signature information and transmits it to the signature information synthesizing means. Each of the second calculation entrusting means generates second to Nth partial digital signature information and sends it to the signature information synthesizing means, and the signature information synthesizing means outputs the first to Nth partial digital signature information. Receive and calculate the digital signature information Transmitted to the communication apparatus, the second communication device from the first communication device receives the digital signature information, and wherein the verifying.

  A communication system according to a twentieth aspect of the present invention comprises the key sharing system according to any of the fourteenth to sixteenth aspects of the present invention and the signature information verification system according to any of the seventeenth to nineteenth aspects of the present invention. To do.

  ADVANTAGE OF THE INVENTION According to this invention, the key exchange process and authentication process regarding communication between communication apparatuses can be performed on behalf of a communication apparatus, maintaining the reliability of the confidential information maintenance to a substitution apparatus.

It is a lineblock diagram showing the whole system configuration of a 1st embodiment. It is an internal block diagram which shows the internal structure of the 1st communication apparatus of 1st Embodiment. It is an internal block diagram which shows the internal structure of the primary calculation consignment apparatus of 1st Embodiment. It is an internal block diagram which shows the internal structure of the secondary calculation consignment apparatus of 1st Embodiment. It is an internal block diagram which shows the internal structure of the 2nd communication apparatus of 1st Embodiment. It is a sequence diagram which shows operation | movement of the key sharing of 1st Embodiment, and an authentication process. It is an internal block diagram which shows the internal structure of the 1st communication apparatus of 2nd Embodiment. It is an internal block diagram which shows the internal structure of the primary calculation consignment apparatus of 2nd Embodiment. It is an internal block diagram which shows the internal structure of the secondary calculation consignment apparatus of 2nd Embodiment. It is an internal block diagram which shows the internal structure of the 2nd communication apparatus of 2nd Embodiment. It is a sequence diagram which shows operation | movement of the key sharing of 2nd Embodiment, and an authentication process.

(A) Basic concept of the present invention In the present invention, in a communication between a plurality of communication devices, a device to be calculated is substituted for a part of a calculation related to a security process between the communication devices.

  The entrusted device for execution executes a part of key agreement calculation, PKI decryption calculation, and digital signature calculation that satisfy the following five conditions.

  The key sharing calculation method exemplifies the Diffie-Hellman (elliptic curve Diffie-Hellman) key sharing calculation method.

[5 conditions]
(1) The calculation entrusted device must be able to execute the entrusted calculation without handling any secret other than the secret key information corresponding to its own public key registered in the PKI (Public Key Infrastructure).

(2) The calculation entrusted device cannot know the shared key.

(3) The key sharing protocol corresponds to the Diffie-Hellman (elliptic curve Diffie-Hellman) key sharing protocol or the premaster secret delivery key sharing protocol, and corresponds to authentication by verification of a digital signature as an authentication protocol.

(4) In the authentication / key agreement processing calculation, the amount of calculation on the communication device side entrusting the calculation requires a calculation amount corresponding to a power calculation on a finite field or a scalar multiplication of a rational point on an elliptic curve. Don't do it.

(5) The load on the communication network including the communication device is such that the traffic between the communication device and the calculation entrusted device is within one round trip per authentication / key sharing.

(B) First Embodiment In the following, the entrusted parameter information generating apparatus, shared key synthesizing apparatus, signature information synthesizing apparatus, communication apparatus, key sharing computed entrusting apparatus, signature information generating computed entrusting apparatus, computed A first embodiment of a consignment device, a key sharing system, a signature information verification system, and a communication system will be described in detail with reference to the drawings.

  In the first embodiment, the Diffie-Hellman key agreement protocol is adopted as the key agreement protocol between the first communication device and the second communication device, and digital signature verification is adopted as the authentication method. Will be explained.

(B-1) Configuration of the First Embodiment (B-1-1) Overall Configuration of the System FIG. 1 is a configuration diagram showing the overall configuration of the system of the first embodiment. In FIG. 1, the system 1 of the first embodiment is configured to include at least a first communication device 100, a second communication device 400, a primary calculated consignment device 200, and a secondary calculated consignment device 300.

  In addition, the calculation consignment apparatus of this invention has the primary calculation consignment apparatus 200 and the secondary calculation consignment apparatus 300. FIG.

  The first communication device 100 is a communication device mounted on a terminal such as a sensor or a smart terminal, for example, and is a communication device with limited network bandwidth, power consumption, and the like.

  The first communication device 100 performs data communication by multi-hop communication. In FIG. 1, when the first communication device 100 performs data communication toward the second communication device 400, the first communication device 100 is connected to the network 2 by multi-hop communication (first communication device). 100). Also, when performing the security process between the first communication device 100 and the second communication device 400, the first communication device 100 is connected to the primary calculation entrusted device 200 and the secondary device via the termination device. Communication with the calculation entrusting apparatus 300 is performed.

  The second communication device 400 is a communication device mounted on a service providing server or the like that exists on the network.

  The primary calculated entrusting device 200 and the secondary calculated entrusting device 300 constitute the calculated entrusted device of the present invention, and act as a proxy for a part of the calculation to be executed by the first communication device 100 in the authentication key sharing protocol. To do.

  In FIG. 1, the primary calculation entrusting apparatus 200 and the secondary calculation entrusting apparatus 300 are shown as physically different apparatuses, but various functions of the primary calculation entrusting apparatus 200 and the secondary calculation entrusting apparatus 300 described later. Can be executed, the primary calculated consignment device 200 and the secondary calculated consignment device 300 may be provided in the same device.

  In the description of the first embodiment, g is a generator of the cyclic group <G,.> And is a parameter common to the system. N is the order of the cyclic group G.

  The integer x is a secret key of the first communication apparatus 100, and P_X = g ^ x is a public key of the first communication apparatus 100.

  The integer v is the secret key of the second communication apparatus 400, and P_V = g ^ v is the public key of the second communication apparatus 400.

  The integer d_1 is the secret key of the primary calculated consignment device 200, and P_D1 = g ^ d_1 is the public key of the primary calculated consignment device 200.

  The integer d_2 is a secret key of the secondary calculation entrusting apparatus 300, and P_D1 = g ^ d_2 is a public key of the secondary calculation entrusting apparatus 300.

  Α · β∈G in the cyclic group G means that an operation defined in the cyclic group G is performed with α and β as operands. Α ^ βεG means that an operation defined in the cyclic group G is performed β times with α as an operand. Α / βεG means that an operation defined by the cyclic group G is performed using α and an inverse element of β defined by the cyclic group as operands.

  For example, when the cyclic group G is a group formed by rational points on the elliptic curve E, α · β∈G means the elliptic addition of α and β on the elliptic curve E, and α ^ β∈G is An elliptic scalar β multiplication of α means α / βεG means an elliptic subtraction of β from α.

  For example, when the cyclic group G is a finite field multiplicative group, α · β∈G means multiplication of α and β, α ^ β∈G means α to the βth power, and α / β ∈G means the division of α by β. X_Y is the same as when Y is subscripted for X.

  In addition, the shared key K_XD1 of the shared key encryption algorithm is shared in advance between the first communication device 100 and the primary calculated consignment device 200, and between the first communication device 100 and the secondary calculated consignment device 300. Assume that the shared key K_XD2 is shared in advance.

(B-1-2) Internal Configuration of First Communication Device 100 FIG. 2 is an internal configuration diagram showing the internal configuration of the first communication device 100. In FIG. 2, the first communication device 100 includes a transmission / reception unit 101, a secret key information storage unit 102, a public key certificate acquisition unit 103, a secret key information division unit 104, a delegation parameter generation unit 105, and a partial shared key decryption unit 106. A shared key composition unit 107, a partial signature parameter decryption unit 108, a signature parameter composition unit 109, and a signature generation unit 110.

  In FIG. 2, what includes at least the secret key information storage unit 102, the public key certificate acquisition unit 103, the secret key information division unit 104, and the delegation parameter generation unit 105 is also referred to as a delegation parameter information generation device 11.

  In FIG. 2, a device including at least the secret key information storage unit 102, the partial shared key decryption unit 106, and the shared key synthesis unit 107 is also referred to as a shared key synthesis device 12.

  Further, in FIG. 2, what includes at least the secret key information storage unit 102, the partial signature parameter decryption unit 108, the signature parameter synthesis unit 109, and the signature generation unit 110 is also referred to as a digital signature synthesis apparatus 13.

  The transmission / reception unit 101 communicates at least with the primary calculated consignment device 200 and the secondary calculated consignment device 300 using a predetermined communication protocol.

  The secret key information storage unit 102 securely stores at least the secret key x of the public key pair (secret key x, public key P_X = g ^ X). The secret key information storage unit 102 also stores encryption key information K_XD1 shared between the primary calculation entrusted devices 200 and encryption key information K_XD2 shared between the secondary calculated entrusted devices 300. The secret key information storage unit 102 may store the calculation result of the shared key combining unit 107, that is, the shared key information K.

  The public key certificate acquisition unit 103 can acquire an arbitrary public key certificate and verifies the signature of the acquired public key certificate.

  Here, the public key certificate is the public key, identification information of its owner (including information such as validity period, issuer, signature algorithm, etc.) and the secret of the public key based CA for these information It consists of a digital signature signed with a key. The public key certificate is a ITU-T (International Telecommunication Union Telecommunication Standardization Sector) X. There is a 509 standard, which can be applied.

  The public key certificate acquisition unit 103 stores a public key of a public key based certificate authority in advance, and uses the public key of a public key based certificate authority (not shown) stored therein as the digital signature information. Verification can be performed by using a predetermined verification algorithm.

  The public key certificate acquisition method is not particularly limited. For example, the transmission / reception unit 101 may receive and acquire a public key certificate from a public key-based certificate authority, or, for example, another input interface (for example, It may be acquired via a USB memory device, a maintenance device, or the like. In this embodiment, it is assumed that the public key certificate acquisition unit 103 acquires the public key certificate received by the transmission / reception unit 101.

The secret key information dividing unit 104 divides the secret key x stored in the secret key information storage unit 102 into N pieces as shown in Expression (1-1), and generates the delegation parameter for the divided secret information. This is given to the unit 105. In this embodiment, a case where N = 2 will be described as an example. In other words, the secret key information dividing unit 104 divides the secret key x into two to generate secret key information x_1 and x_2.

The entrusted parameter generation unit 105 includes the secret key x from the secret key information storage unit 102, the secret key information x_1 and x_2 divided from the secret key information division unit 104, and the second communication device 400 from the public key certificate acquisition unit 103. Public key information P_V, public key information P_D1 of the primary calculated entrusting device 200, and public key information P_D2 of the secondary calculated entrusting device 300, and receiving the entrusting parameter information T_1 for the primary calculated entrusting device 200 using the formula ( It is generated according to 1-2). Further, the commission parameter generation unit 105 transmits the computed commission parameter information T_1 to the primary computed commission device 200.

  However, enc (K, M) is a function for encrypting the bit string M as the key information of the bit string K. F (X) is a function that converts an element X of G into a key information bit string. Specifically, a method of obtaining a bit string having a predetermined key length by inputting a bit string representation of X into a SHA-256 (Secure Hash Algorithm: Federal Information Processing Standards Publication 180-2) hash function is conceivable. The key bit string information K_XD1 may be stored in the secret key information storage unit 102 in advance.

The entrustment parameter generation unit 105 generates entrustment parameter information T_2 for the secondary calculated entrustment device 300 according to the following equation (1-3). In addition, the commission parameter generation unit 105 transmits the generated commission parameter information T_2 for the secondary calculation consignment apparatus 300 to the secondary calculation consignment apparatus 300.

  The key bit string information K_XD2 may be stored in advance in the secret key information storage unit 102.

  The partial shared key decryption unit 106 includes the partial shared key information enc (K_XD1, K_1) transmitted by the primary computable entrusting device 200 encrypted with the shared key K_XD1 shared in advance with the first communication device 100. The secondary companion entrusting apparatus 300 receives the partial shared key information enc (K_XD2, K_2) that is encrypted and transmitted with the shared key K_XD2 shared in advance with the first communication apparatus 100, and receives the partial shared key. The information enc (K_XD1, K_1) is decrypted into the partial shared key information K_1, and the partial shared key information enc (K_XD2, K_2) is decrypted into the partial shared key information K_2. The partial shared key decryption unit 106 provides the decrypted K_1 and K_2 to the shared key composition unit 107.

  However, enc (K, M) means that a predetermined shared key encryption algorithm is calculated from the bit string M using the shared key bit string K. Here, enc (K_XD2, K_2) may be sent from the secondary calculated consignment device 300 to the primary calculated consignment device 200, and may be sent from the primary calculated consignment device 200 to the first communication device.

The shared key composition unit 107 receives the partial shared key information K_1 and K_2 from the partial shared key decryption unit 106, and uses the partial shared key information K_1 and K_2 to communicate with the second communication apparatus 400 according to the equation (1-4). The shared key information K between them is obtained.

  The partial signature parameter decryption unit 108 transmits the first partial digital signature calculation parameter information that is transmitted by the primary calculation entrusted device 200 after being encrypted with the shared key K_XD1 shared in advance with the first communication device 100. enc (K_XD1, κ_1), the first partial digital signature first parameter information ρ_1, and the message digest information h are received, and the secondary companion entrusting device 300 shares in advance with the first communication device 100. Receiving the second partial digital signature calculation parameter information enc (K_XD2, κ_2) and the second partial digital signature first parameter information ρ_2 transmitted after being encrypted with the shared key K_XD2 and decrypting κ_1 and κ_2, respectively. Is. The partial signature parameter decryption unit 108 gives the decrypted partial digital signature calculation parameter information κ_1 and κ_2, the received partial digital signature first parameter information ρ_1 and ρ_2, and the message digest h to the signature parameter composition unit 109. It is. Here, enc (K_XD2, κ_2) may be sent from the secondary calculation consignment device 300 to the primary calculation consignment device 200, and may be sent from the primary calculation consignment device 200 to the first communication device 100.

The signature parameter synthesizing unit 109 receives the partial digital signature calculation parameters κ_1 and κ_2, the partial digital signature first parameters ρ_1 and ρ_2, and the message digest h from the partial signature parameter decryption unit 108, and performs digital conversion according to the following equation (1-5). The signature calculation parameter information κ and the digital signature first parameter information ρ are obtained. In addition, the signature parameter synthesis unit 109 provides the digital signature calculation parameter information κ and the digital signature first parameter information ρ to the signature generation unit 110.

  However, if κ and n are not relatively prime, the primary calculated consignment device 200 and the secondary calculated consignment device 300 have the parameters regenerated.

  In particular, when the signature algorithm is ECDSA (Elliptic Curve Digital Signature Algorithm), ρ is a rational point vector, and the first component is regarded as an unsigned integer bit string, and the remainder obtained by dividing this by n Let it be ρ again.

  However, when ρ is 0 or 1, the primary calculated entrusting device 200 or the secondary calculated entrusting device 300 is allowed to generate κ_1 or κ_2 again until 2 ≦ ρ ≦ n−1, and again ρ is calculated.

The signature generation unit 110 generates the second digital signature parameter information σ among the digital signature information ρ and σ using the above-described κ and ρ input from the signature parameter synthesis unit 109 by the following equation (1-6). Is.

(B-1-3) Internal Configuration of Primary Computed Consignment Device 200 FIG. 3 is an internal configuration diagram showing an internal configuration of the primary computed commissioned device 200 according to the first embodiment.

  In FIG. 3, the primary computable device 200 includes a transmission / reception unit 201, a secret key information storage unit 202, a consignment parameter storage unit 203, a key sharing parameter generation unit 204, a partial shared key calculation unit 205, and a key sharing parameter delivery management unit 206. A message digest information generation unit 207, a partial signature parameter generation unit 208, and a public key certificate acquisition unit 209.

  The transmission / reception unit 201 communicates with the first communication device 100, the second communication device 400, or the secondary calculation entrusted device 300 using a predetermined communication protocol.

  The secret key information storage unit 202 securely stores at least the secret key d_1 in the public key pair (secret key d_1, public key P_D1 = g ^ d_1). The secret key information storage unit 202 may also store pre-shared key information K_XD1 shared with the first communication device 100.

Here, the pre-shared key information K_XD1 may be derived according to the formula (1-7), for example, without being stored in the secret key information storage unit 202.

  The entrusted parameter storage unit 203 stores the entrusted parameter information T_1 calculated by the first communication device 100. In the first embodiment, the transmission / reception unit 201 receives the commission parameter information T_1 from the first communication apparatus 100 via the communication path with the first communication apparatus 100. The commission parameter information T_1 may be set via another input interface (for example, a USB memory or a maintenance device). Further, the entrustment parameter storage unit 203 does not need to safely manage the entrustment parameter information T_1 so as not to leak.

  The key sharing parameter generation unit 204 generates a key sharing parameter r and gives the generated key sharing parameter r to the partial shared key calculation unit 205 and the key sharing parameter delivery management unit 206. For example, the key sharing parameter generation unit 204 has a (pseudo) random number generation function, and sets the generated random number information as r.

  The key sharing parameter r is generated by the primary computing entrusted device 200 and notified to the second communication device 400 as will be described later, but the second communication device 400 uses the key sharing parameter r. And the key sharing parameter r may be notified to the primary calculation entrusted device 200. Further, both the primary computed entrusted device 200 and the second communication device 400 may generate and exchange random numbers, and generate the shared parameter r by, for example, inputting and calculating both random numbers into a hash function. .

The partial shared key calculation unit 205 includes the delegate parameter information T_1 from the delegate parameter storage unit 203, the secret key information d_1 and K_XD1 from the secret key information storage unit 202, the key share parameter r from the key share parameter generation unit 204, and the public key. The public key information P_X of the first communication device 100 is read from the certificate acquisition unit 209, and the partial shared key information K_1 is calculated by the following equation (1-8). Further, the partial shared key calculation unit 205 encrypts the partial shared key information with the first communication apparatus 100 using the pre-shared key K_XD1 and transmits the encrypted partial shared key information to the first communication apparatus 100.

  The message digest information generation unit 207 generates a hash value (message digest information) h of a predetermined message using a hash function. Further, the message digest information control unit 207 transmits the generated message digest information h to the first communication device 100.

  For the message, for example, information used as an input in generating a Certificate Verify message of TLS 1.2 (Transport Layer Security 1.2) can be applied, but the present invention is not limited to this.

The partial signature parameter generation unit 208 randomly generates κ_1 as the first partial digital signature calculation parameter information. The partial signature parameter generation unit 208 generates the first partial digital signature first parameter information according to the following equation (1-9). Further, the partial signature parameter generation unit 208 encrypts the first partial digital signature calculation parameter information κ_1 with the pre-shared key K_XD1 with the first communication device 100, and the first partial digital signature calculation parameter information ρ_1. At the same time, the data is transmitted to the first communication device 100. Alternatively, the information may be sent to the primary calculated consignment device 200 and sent from the primary calculated consignment device 200 to the first communication device 100.

  The public key certificate acquisition unit 209 can acquire the public key certificate of the first communication apparatus 100, and verifies the signature of the acquired public key certificate.

(B-1-4) Internal Configuration of Secondary Calculated Consignment Device 300 FIG. 4 is an internal configuration diagram showing the internal configuration of the secondary calculated consignment device 300 of the first embodiment. In FIG. 4, the secondary computing entrustment device 300 includes a transmission / reception unit 301, a secret key information storage unit 302, a commission parameter storage unit 303, a partial shared key calculation unit 304, a partial signature parameter generation unit 305, and a public key certificate acquisition unit 306. Have

  In FIG. 4, what includes at least the secret key information storage unit 302, the delegation parameter storage unit 303, the partial shared key calculation unit 304, and the public key certificate acquisition unit 306 is also referred to as a key sharing computed delegation device 31.

  In FIG. 4, a device including at least the secret key information storage unit 302 and the partial signature parameter generation unit 305 is also referred to as a digital signature generation calculation entrusted device 32.

  The transmission / reception unit 301 communicates between the first communication device 100 and the primary calculation entrusted device 300 using a predetermined communication protocol.

The secret key information storage unit 302 securely stores at least the secret key d_2 of the public key pair (secret key d_2, public key P_D = g ^ d_2). The secret key information storage group 202 may also store pre-shared key information K_XD2 shared with the first communication device 100. The pre-shared key information K_XD2 may be derived according to the following equation (1-10) without being stored in the secret key information storage unit 202.

  The entrusted parameter storage unit 303 stores the entrusted parameter information T_2 calculated by the first communication device 100. In the first embodiment, the transmission / reception unit 301 receives the commission parameter information T_2 from the first communication device 100 via the communication path with the first communication device 100. The consignment parameter information T_2 may be set via another input interface (for example, a USB memory or a maintenance device). The entrusted parameter storage unit 303 does not have to manage safely so as not to leak the entrusted parameter information T_2.

The partial shared key calculation unit 304 includes the delegation parameter information T_2 from the delegation parameter information storage unit 303, the secret key information d_2 and K_XD2 from the secret key information storage unit 302, and the key sharing parameter r received from the primary computed delegation device 200. The public key information P_X of the first communication device 100 is received from the public key certificate acquisition unit 306, and the partial shared key information K_2 is obtained according to the following equation (1-11). Further, the partial shared key calculation unit 304 encrypts with the pre-shared key K_XD2 with the first communication device 100 and transmits the encrypted information to the first communication device 100. Alternatively, the information may be sent to the primary calculated consignment device 200 and sent from the primary calculated consignment device 200 to the first communication device 100.

The partial signature parameter generation unit 305 randomly generates κ_2 as the second partial digital signature calculation parameter information. The partial signature parameter generation unit 305 generates the second partial digital signature first parameter information ρ_2 according to the following equation (1-12). Further, the partial signature parameter generation unit 305 encrypts the second partial digital signature calculation parameter information κ_2 with the pre-shared key K_XD2 with the first communication device 100, and outputs the second partial digital signature first parameter information. It transmits to the 1st communication apparatus 100 with (rho) _2. Alternatively, the information may be sent to the primary calculated consignment device 200 and sent from the primary calculated consignment device 200 to the first communication device 100.

  The public key certificate acquisition unit 306 can acquire the public key certificate of the first communication device 100, and verifies the signature of the acquired public key certificate.

(B-1-5) Internal Configuration of Second Communication Device 400 FIG. 5 is an internal configuration diagram illustrating an internal configuration of the second communication device 400 according to the first embodiment. In FIG. 5, the second communication device 400 includes a transmission / reception unit 401, a secret key information storage unit 402, a shared key calculation unit 403, a message digest information generation unit 404, a signature verification unit 405, and a public key certificate acquisition unit 406. .

  The transmission / reception unit 401 communicates with at least the primary calculation entrusted device 200 using a predetermined communication protocol.

  The secret key information storage unit 402 securely stores at least secret key information among public key pairs issued from public key infrastructure (PKI) certificate authorities.

The shared key calculation unit 403 reads the public key information P_X of the first communication device 100 read from the public key certificate acquisition unit 406, the secret key information v read from the secret key information storage unit 402, and the key received from the transmission / reception unit 401. The shared parameter r is received and the shared key K is obtained according to the equation (1-13).

The message digest information generation unit 404 generates a hash value h of a predetermined message using a hash function, and gives the message digest information h ₀ to the signature verification unit 405.

The signature verification unit 405 receives the digital signature first parameter information ρ and the digital signature second parameter information σ as the signature information from the first communication device 100, and uses the message digest value h ₀ from the message digest information generation unit 404 as the signature information. It is determined whether or not the following equation (1-14) is established.

However, when the signature algorithm is ECDSA, the signature verification unit 405 uses the first rational point vector V obtained by the calculation represented by the following equation (1-15) instead of the equation (1-14). It is determined whether the component and ρ are equal.

  The public key certificate acquisition unit 406 can acquire an arbitrary public key certificate and verifies the signature of the acquired public key certificate.

(B-2) Operation of the First Embodiment FIG. 6 is a sequence diagram showing the operation of the key sharing / authentication process of the first embodiment.

(B-2-1) Preparation Step (S100) The first communication device 100 generates consignment parameter information T_1 to be given to the primary calculation consignment device 200 and consignment parameter information T_2 to be given to the secondary calculation consignment device 300. .

  Then, the first communication device 100 transmits the commission parameter information T_1 to the primary calculation consignment device 200, and transmits the commission parameter information T_2 to the secondary calculation consignment device 300.

  Here, an example of a method for generating the commission parameter information T_1 and T_2 will be described.

  First, in the first communication device 100, the public key information acquisition unit 103, via the transmission / reception unit 101, the public key certificate CERT_D1 of the primary calculated consignment device 200 and the public key certificate CERT_D2 of the secondary calculated consignment device 300. The public key certificate CERT_V of the second communication device 400 is received and the public key information acquisition unit 103 is acquired.

  Next, the public key information acquisition unit 103 verifies the acquired public key certificates CERT_D1, CERT_D2, and CERT_V, and public key information P_D1 of the primary computing entrustment device 200 and public key information P_D2 of the secondary computing entrustment device 300. The public key information P_V of the second communication device 400 is given to the entrusted parameter generation unit 105.

  The consignment parameter generation unit 105 uses the public keys P_D1, P_D2, and P_V from the public key information acquisition unit 103 and the secret key information X read from the secret key information storage unit 102, and uses equations (1-1) and ( The commission parameter information T_1 and T_2 are generated according to 1-2).

  Then, the entrusted parameter generation unit 105 transmits the entrusted parameter information T_1 to the primary calculated entrusted device 200 and transmits the entrusted parameter information T_2 to the secondary calculated entrusted device 300.

  At this time, the primary calculated consignment device 200 stores the received consignment parameter information T_1 in the consignment parameter information storage unit 203. Further, the secondary calculation entrustment device 300 stores the received entrustment parameter information T_2 in the entrustment parameter information storage unit 303.

  The above is the procedure of the preparation step.

  Note that the preparation step is not necessarily performed in the first communication device 100. Another device having the functions of the secret key information of the first communication device 100, the secret information division unit 104, and the entrusted parameter generation unit 105 may perform this preparation step. In the first embodiment, the first communication device 100 performs this preparation step.

(B-2-2) Key Sharing / Authentication Step (S101) In the primary calculation entrusted device 200, the key sharing parameter generation unit 204 uses the integer r (2 ≦ r) necessary for key sharing with the second communication device 400. ≦ n−1) is randomly generated, and the generated integer r is transmitted as a shared key parameter to the second communication device 400 and the secondary calculation entrusted device 300.

  In the second communication device 400, the public key certificate acquisition unit 406 acquires the public key certificate CERT_X of the first communication device 100 received by the transmission / reception unit 401, and the public key P_X of the first communication device 100. Is given to the shared key calculation unit 403.

  (S102) In the second communication device 400, the shared key calculation unit 403 receives the shared key parameter r from the primary calculation target entrusting device 200 via the transmission / reception unit 401 and the first key from the public key information certificate acquisition unit 406. Using the public key information P_X of the communication device 100 and the secret key information V read from the secret key information storage unit 402, the shared key information K is obtained according to the equation (1-13).

  (S103) On the other hand, in the primary computable device 200, the partial shared key calculation unit 205 includes the consignment parameter information T_1 read from the consignment parameter information storage unit 203 and the secret key information d_1 read from the private key information storage unit 202. Using the key sharing parameter r generated in step S101 and the public key information P_X of the first communication device 100 acquired by the public key certificate acquisition unit 209, the partial shared key K_1 is obtained according to the equation (1-8). Ask. Then, the partial shared key calculation unit 205 transmits enc (K_XD1, K_1) obtained by encrypting the calculation result with the shared key K_XD1 shared in advance with the first communication device 100 to the first communication device 100.

  (S104) Moreover, in the secondary calculation entrustment device 300, the partial shared key calculation unit 304 includes the entrustment parameter information T_2 read from the entrustment parameter information storage unit 303 and the secret key information d_2 read from the secret key information storage unit 302. Then, using the received key sharing parameter and the public key information P_X of the first communication device 100 acquired by the public key certificate acquisition unit 306, the partial shared key K_2 is obtained according to the equation (1-11). Then, partial shared key calculation section 304 transmits enc (K_XD2, K_2) obtained by encrypting the calculation result with shared key K_XD2 shared in advance with first communication apparatus 100 to first communication apparatus 100.

  (S105) In the first communication device 100, the partial shared key decryption unit 106 uses the two partial shared key information encrypted with the pre-shared keys K_XD1 and K_XD2, respectively, enc (K_XD1, K_1) and enc (K_XD2, K_2) is decrypted, and decryption results K_1 and K_2 are given to the shared key composition unit 107. Then, the shared key composition unit 107 obtains the shared key information K according to the equation (1-4) using the partial shared key information K_1 and K_2, and stores the obtained shared key information K in the secret key information storage unit 102. Let

  (S106) Next, in the primary computing entrustment device 200, the partial signature parameter generation unit 208 sets the integer κ_1 as the first partial signature parameter of the primary computing entrustment device 200 in the domain 2 ≦ κ_1 ≦ n−1. Generate randomly. The partial signature parameter generation unit 208 first encrypts en (K_XD1, κ_1) obtained by encrypting κ_1 with the pre-shared key K_XD1 with the first communication device 100 stored in the secret key information storage unit 202. To the communication device 100. Also, the partial signature parameter generation unit 208 obtains the second partial signature parameter ρ_1 according to the equation (1-9) using the first partial signature parameter κ_1, and transmits the second partial signature parameter ρ_1 to the first communication device 100. Further, the message digest information generation unit 207 calculates a hash value h of predetermined message information, and transmits this hash value h to the first communication device 100 as message digest information.

  (S107) On the other hand, in the secondary calculated consignment device 300, the partial signature parameter generation unit 305 defines the integer κ_2 as the third partial signature parameter of the secondary calculated consignment device 300, similarly to the primary calculated consignment device 200. Randomly generated in the region 2 ≦ κ_2 ≦ n−1. Then, the partial signature parameter generation unit 305 first sets enc (K_XD2, κ_2) obtained by encrypting κ_2 with the pre-shared key K_XD2 with the first communication device 100 stored in the secret key information storage unit 302. To the communication device 100. Further, the partial signature parameter generation unit 305 obtains the fourth partial signature parameter ρ_2 according to the equation (1-12) using the third partial signature parameter κ_2, and transmits the fourth partial signature parameter ρ_2 to the first communication device 100.

  (S108) In the first communication device 100, the partial signature parameter decryption unit 106 uses the secret key information K_XD1 in the secret key information storage unit 102 to enc (K_XD1, κ_1), ρ_1 from the primary computed entrusted device 200 , H are decrypted. The partial signature parameter decryption unit 106 decrypts enc (K_XD2, κ_2) and ρ_2 from the primary computed entrusted device 200 using the secret key information K_XD2 in the secret key information storage unit 102. Then, the signature parameter composition unit 109 obtains ρ and κ according to Expression (1-5) using the decrypted partial signature parameters κ_1, κ_2, ρ_1, and ρ_2. Further, the signature generation unit 110 obtains σ according to the equation (1-6) using the message digest information h, ρ, and κ, and transmits the digital signature information (ρ, σ) to the second communication device 400.

(S109) In the second communication device 400, ρ and σ received from the first communication device 100, and the public read from the public key certificate of the first communication device 100 acquired by the public key certificate acquisition unit 406. The key information P_V, the generation source g, and the message digest value h ₀ calculated by the message digest information generation unit 404 are given to the signature verification unit 405, and the signature verification unit 405 uses an equation represented by equation (1-14). Whether or not is satisfied is determined, and if it is satisfied, the authentication is successful, and if not, the authentication is failed.

(B-3) Effects of First Embodiment From the above, the first embodiment has the following effects.

  The secret key information used for calculating the shared key K_1 or K_2 is only the secret keys d_1 and d_2, respectively.

  The shared key K is obtained when the first communication device 100 receives and synthesizes the results calculated by the primary calculated consignment device 200 and the secondary calculated consignment device 300, so that all the calculated consignment devices have the shared key K. I don't know. For this reason, even if either one of the calculated consignment devices is hijacked, the attacker cannot synthesize the shared key K if the other calculated consignment device layer is safe.

  According to the first embodiment, the Diffie-Hellman (or elliptic curve Diffie-Hellman) key sharing protocol and authentication using a digital signature are used between the first communication device 100 and the second communication device 400. The first communication device 100 can execute the authentication key sharing protocol while entrusting some computations to the primary calculated consignment device 200 and the secondary calculated consignment device 300.

  The amount of calculation required on the first communication device 100 side is to perform decryption of the shared key calculation and multiplication on the finite field at most twice, or addition of the rational points on the elliptic curve in total two times.

  As described above, among the five conditions described in the basic concept of the present invention, (1) to (4) are satisfied.

  Further, the information to be transmitted from the secondary calculation consignment device 300 to the first communication device 100 is once passed through the primary calculation consignment device 200, so that the primary calculation consignment device 200 is encrypted. Shared key information enc (K_XD1, K_1), enc (K_XD2, K_2), partial signature parameter information enc (K_XD1, κ_1), enc (K_XD2, κ_2), ρ_1, ρ_2, and message digest information h To the first communication device 100, the first communication device 100 transmits the signature parameter information ρ and σ to the primary calculated consignment device 200, and the primary calculated consignment device 200 relays to the second communication device 400. By doing this, the number of communications between the first communication device 100 and the calculation entrusted device is set to one round trip. It is possible.

  As described above, (A) a system that satisfies the five conditions described in the basic concept of the present invention can be realized.

(C) Second Embodiment Next, the entrusted parameter information generating apparatus, shared key synthesizing apparatus, signature information synthesizing apparatus, communication apparatus, key sharing computed entrusting apparatus, signature information generating entrusted apparatus, computed A second embodiment of a consignment device, a key sharing system, a signature information verification system, and a communication system will be described in detail with reference to the drawings.

(C-1) Configuration of the Second Embodiment The second embodiment is implemented by encrypting the premaster secret with the public key of the first communication device and distributing the key as a key sharing protocol. An embodiment in the case where the same digital signature verification as in the first embodiment is employed will be exemplified.

  Since the overall configuration of the second embodiment is the same as that of the first embodiment, the second embodiment will be described with reference to FIG.

  In the second embodiment, the first communication device 100 is replaced with the first communication device 500, the second communication device 400 is replaced with the second communication device 800, and the primary calculation target is calculated. Instead of the entrusted device 200, it is expressed as a primary calculated entrusted device 600, and instead of the secondary calculated entrusted device 300, it is expressed as a secondary calculated entrusted device 700.

(C-1-1) Internal Configuration of First Communication Device 500 FIG. 7 is an internal configuration diagram showing an internal configuration of the first communication device 500 of the second embodiment. In FIG. 7, the first communication device 500 includes a transmission / reception unit 501, a secret key information storage unit 502, a public key certificate acquisition unit 503, a secret key information division unit 504, a delegation parameter generation unit 505, a partial first ciphertext parameter. The information decoding unit 506 includes a premaster secret information synthesis unit 507, a partial signature parameter decryption unit 508, a signature parameter synthesis unit 509, and a signature generation unit 510.

  The transmission / reception unit 501, the private key information storage unit 502, the public key certificate acquisition unit 503, and the private key information division unit 504 are the transmission / reception unit 101, private key information storage unit 102, and public key certificate acquisition of the first embodiment, respectively. Since it has the same function as the unit 103 and the secret key information dividing unit 104, detailed description in the second embodiment is omitted.

  Also, the partial signature parameter decryption unit 508, signature parameter synthesis unit 509, and signature generation unit 510 have the same functions as the partial signature parameter decryption unit 108, signature parameter synthesis unit 109, and signature generation unit 510 of the first embodiment, respectively. Therefore, detailed description in the second embodiment is omitted.

  In FIG. 7, what includes at least the secret key information storage unit 502, the public key certificate acquisition unit 503, the secret key information division unit 504, and the entrustment parameter generation unit 505 is also referred to as the entrustment parameter information generation device 21.

  In FIG. 7, at least the secret key information storage unit 502, the partial first ciphertext parameter information decryption unit 506, and the premaster secret information synthesis unit 507 are also referred to as a shared key synthesis device 22.

  Further, in FIG. 7, what includes at least the secret key information storage unit 202, the partial signature parameter decryption unit 508, the signature parameter synthesis unit 509, and the signature generation unit 510 is also referred to as a digital signature synthesis device 23.

  The entrustment parameter generation unit 505 includes the secret key information x from the secret key information storage unit 502, the secret key information x_1 and x_2 divided from the secret key information division unit 504, the public key information P_D1 of the primary computer entrusted device 600, It receives the public key information P_D2 of the secondary calculated entrusting device 700, and generates entrusting parameter information T_1 and entrusting parameter information T_2.

The entrustment parameter generation unit 505 uses the secret key information x from the secret key information storage unit 502, the secret key information x_1 divided from the secret key information division unit 504, and the public key information P_D1 of the primary computer entrusted device 600. In accordance with the equation (2-1), the commission parameter information T_1 is generated, and the generated commission parameter information T_1 is transmitted to the primary calculated commission device 600.

Further, the entrustment parameter generation unit 505 receives the secret key information x from the secret key information storage unit 502, the secret key information x_2 divided from the secret key information division unit 504, and the public key information P_D2 of the secondary calculated entrustment device 700. Using this, the commission parameter information T_2 is generated according to the equation (2-2), and the generated commission parameter information T_2 is transmitted to the secondary calculated commission device 700.

  However, F (X) is the conversion function described in the first embodiment. Note that, as in the first embodiment, the key information K_XD1 and K_XD2 may be stored in the secret key information storage unit 502 in advance.

  The partial first ciphertext parameter information decryption unit 506 receives the first partial first ciphertext parameter information encryption result enc (K_XD1, C_11) received from the primary computation entrusted device 600 via the transmission / reception unit 501. 1 partial first ciphertext parameter information C_11.

  Here, the first partial first ciphertext parameter information encryption result enc (K_XD1, C_11) is the shared key K_XD1 that the primary computable device 600 shares with the first communication device 500 in advance. The partial first ciphertext parameter information decryption unit 506 performs decryption using the secret key K_XD1 stored in the secret key information storage unit 502.

  Also, the partial first ciphertext parameter information decryption unit 506 receives the second partial first ciphertext parameter information encryption result enc (K_XD2, C_12) received from the secondary computation entrusted device 700 via the transmission / reception unit 501. The second partial first ciphertext parameter information C_12 is decrypted using the secret key K_XD2.

  The partial first ciphertext parameter information decryption unit 506 gives the decrypted partial first ciphertext parameter information C_11 and C_12 to the premaster secret information synthesis unit 507.

The premaster secret information synthesis unit 507 includes the partial first ciphertext parameter information C_11 and C_12 from the partial first ciphertext parameter information decryption unit 506, and the second ciphertext parameter information C_2 received from the primary computable device 600. And the premaster secret information K_PM with the second communication device 800 is obtained by the calculation shown in the following equation (2-3).

However, e is a unit element in the group G. When the encryption algorithm is elliptic ElGamal encryption, K_PM calculated by the above formula is a rational point on the elliptic curve, and it is necessary to convert this into premaster secret information as original bit string information. For example, when the Ellipse curve cryptosystem of Menezes-Vanstone is used, pre-master secret information K_PM1 obtained by receiving ciphertext parameter information C_21, C_22 and a prime number p, which will be described later, and divided by the following equation (2-4) And K_PM2 are decoded, and K_PM is decoded by combining the bit strings.

  However, γ_1 and γ_2 are the first component and the second component of the rational point vector calculated by C_11 and C_12, respectively. The operator || means a combination of bit strings.

(C-1-2) Internal Configuration of Primary Computed Consignment Device 600 FIG. 8 is an internal configuration diagram showing the internal configuration of the primary computed consignment device 600 in the second embodiment. In FIG. 8, the entrusted device 600 includes a transmission / reception unit 601, a secret key information storage unit 602, an entrustment parameter storage unit 603, a temporary storage unit 604, a partial decryption calculation unit 605, a message digest information generation unit 606, and partial signature parameter generation. A unit 607 and a public key certificate acquisition unit 608.

  The transmission / reception unit 601, the secret key information storage unit 602, and the entrustment parameter storage unit 603 have the same functions as the transmission / reception unit 201, the secret key information storage unit 202, and the entrustment parameter storage unit 203 in the first embodiment, respectively. Therefore, detailed description in the second embodiment is omitted.

  In addition, the message digest information generation unit 606, the partial signature parameter generation unit 607, and the public key certificate acquisition unit 608 are respectively the message digest information generation unit 207, the partial signature parameter generation unit 208, and the public key certificate in the first embodiment. Since it has the same function as the acquisition unit 209, detailed description in the second embodiment is omitted.

  The temporary storage unit 604 temporarily stores the second ciphertext parameter information C_2 received from the second communication device 800 via the transmission / reception unit 601. When transmitting the second ciphertext parameter information C_2 to the first communication device 500, the second ciphertext parameter information C_2 is read from the temporary storage unit 604.

The partial decryption calculation unit 605 receives the commission parameter information T_1 read from the commission parameter storage unit 603, the secret key information d_1 read from the secret key information storage unit 602, and the first communication read from the public key certificate acquisition unit 608. Based on the public key information P_X of the device 500 and the first ciphertext parameter information C_1 received by the transmission / reception unit 601, the first partial first ciphertext parameter information C_11 is obtained by Expression (2-4) It is. In addition, the partial decryption calculation unit 605 encrypts the obtained first partial first ciphertext parameter information C_11 with the pre-shared key K_XD1 with the first communication device 500 and transmits the encrypted information to the first communication device 500.

(C-1-3) Internal Configuration of Secondary Calculated Consignment Device 700 FIG. 9 is an internal configuration diagram showing an internal configuration of the secondary calculated consignment device 700 of the second embodiment. In FIG. 9, the secondary computing entrustment device 700 includes a transmission / reception unit 701, a secret key information storage unit 702, a entrustment parameter storage unit 703, a partial decryption calculation unit 704, a partial signature parameter generation unit 705, and a public key certificate acquisition unit 706. Have.

  In FIG. 9, what includes at least a secret key information storage unit 702, a delegation parameter storage unit 703, a partial decryption calculation unit 704, and a public key certificate acquisition unit 706 is also referred to as a key sharing computed delegation device 41.

  In FIG. 9, at least one including the secret key information storage unit 702 and the partial signature parameter generation unit 705 is also referred to as a digital signature generation calculation entrusted device 42.

  The transmission / reception unit 701, the secret key information storage unit 702, and the entrustment parameter storage unit 703 have the same functions as the transmission / reception unit 301, the secret key information storage unit 302, and the entrustment parameter storage unit 303 in the first embodiment, respectively. Detailed description in the second embodiment will be omitted.

  The partial signature parameter generation unit 705 and the public key certificate acquisition unit 706 are the same as the partial signature parameter generation unit 305 and the public key certificate acquisition unit 306 in the first embodiment, respectively. Detailed description in the embodiment is omitted.

The partial decryption calculation unit 704 includes the ciphertext parameter information C_1 received from the primary calculated entrusted device 600, the entrusted parameter information T_2 from the entrusted parameter information storage unit 703, the secret key information d_2 from the secret key information storage unit 702, and the public. The public key information P_X of the first communication device is read from the key certificate acquisition unit 706, and the second partial first ciphertext parameter information C_12 is obtained by the following equation (2-6). The partial decryption calculation unit 704 encrypts the second partial cipher first parameter information C_12 with the pre-shared key K_XD2 with the first communication device 500 and transmits the encrypted first parameter information C_12 to the first communication device 500.

(C-1-4) Internal Configuration of Second Communication Device 400 FIG. 10 is an internal configuration diagram showing the internal configuration of the second communication device 800 of the second embodiment. In FIG. 10, the second communication apparatus 800 includes a transmission / reception unit 801, a premaster secret determination unit 802, a premaster secret delivery unit 803, a message digest information generation unit 804, a signature verification unit 805, and a public key certificate acquisition unit 806. Have.

  Since the transmission / reception unit 801 is the same as the transmission / reception unit 401 of the second communication apparatus 400 in the first embodiment, detailed description in the second embodiment is omitted.

  In addition, the message digest information generation unit 804, the signature verification unit 805, and the public key certificate acquisition unit 806 are respectively the message digest information generation unit 404, the signature verification unit 405, and the public key certificate acquisition unit 406 in the first embodiment. Since they are the same, detailed description in the second embodiment is omitted.

  The premaster secret determination unit 802 generates a bit string having a predetermined bit length as the premaster secret information and supplies the bit string to the premaster secret delivery unit 803.

The premaster secret delivery unit 803 converts the premaster secret information bit string K_PM from the premaster secret determination unit 802 into an integer (provided that 0 <K_PM ≦ n−1), and the public key certificate acquisition unit 806. , The public key information P_X of the first communication device 500 is read out, the random number θ is randomly determined in the domain 2 ≦ θ ≦ n−1, and the ciphertexts C_1 and C_2 represented by the following equations (2-7) Is transmitted to the primary calculation entrusting device 600.

However, when the encryption algorithm is elliptic ElGamal encryption, it cannot be applied as it is, so it is necessary to convert K_PM into a rational point on the elliptic curve or perform another calculation. For example, as an example of the latter method, there is a Menezes-Vantone elliptic curve cryptosystem. This is because the bit string K_PM is divided into K_PM1 and K_PM2, respectively, and when the first component of the vector calculated by P_X ^ θ is q_1 and the second component is q_2, for an appropriate prime number p of 3 or more, A method of calculating C_21 and C_22 represented by the following equation (2-8) and transmitting them together with C_1 and the prime number p to the primary calculated entrusted device 600 can be applied.

  However, γ_1 and γ_2 are the first component and the second component of the rational point vector calculated by P_X ^ θ, respectively. K_PM1 and K_PM2 are bit strings obtained by dividing the premaster secret information bit string K_PM into two by an arbitrary method.

(C-2) Operation of the Second Embodiment FIG. 11 is a sequence diagram showing the operation of the key sharing / authentication process of the second embodiment.

(C-2-1) Preparation Step (S200) The first communication device 500 generates consignment parameter information T_1 to be given to the primary calculation consignment device 600 and consignment parameter information T_2 to be given to the secondary calculation consignment device 700. .

  Then, the first communication device 500 transmits the commission parameter information T_1 to the primary calculation consignment device 600 and transmits the commission parameter information T_2 to the secondary calculation consignment device 700.

  Here, since the generation method of the commission parameter information T_1 and T_2 is different from that of the first embodiment, an example of the creation method of the commission parameter information of the second embodiment will be described below.

  First, in the first communication device 500, the public key certificate acquisition unit 503 receives the public key certificate CERT_D 1 of the primary computed entrusted device 600 and the public key certificate of the secondary computed entrusted device 700 via the transmission / reception unit 501. The certificate CERTD2 is acquired, and the public key information P_D1 of the primary calculation entrusting device 600 and the public key information P_D2 of the secondary calculation entrusting device 700 are acquired.

  Next, the entrustment parameter generation unit 505 receives from the public key information acquisition unit 503 the public key information P_D1 of the primary calculated entrusted device and the public key information P_D2 of the secondary calculated entrusted device.

  Then, the delegation parameter generation unit 505 uses the public key information P_D1 and P_D2 and the secret key information X read from the secret key information storage unit 102, respectively, according to equations (2-1) and (2-2). The commission parameter information T_1 and T_2 are obtained.

  The primary calculated entrusting device 700 stores the entrusting parameter information T_1 received from the first communication device 500 in the entrusting parameter information storage unit 703. Similarly, the secondary calculated consignment device 800 also stores the consignment parameter information T_2 received from the first communication device 500 in the consignment parameter information storage unit 803.

(C-2-2) Key Sharing / Authentication Step (S201) In the second communication apparatus 800, the premaster secret determination unit 801 determines the premaster secret information K_PM, and uses the premaster secret information K_PM as the premaster secret. This is given to the delivery unit 803. The premaster secret delivery unit 803 randomly determines the integer θ. In addition, the premaster secret delivery unit 803 encrypts the premaster secret information K_PM with Expression (2-6). Then, the pre-master secret delivery unit 803 transmits the ciphertext (C_1, C_2) to the primary calculation entrusted device 600. That is, the information including the first ciphertext parameter information C_1 and the second ciphertext parameter information C_2 is transmitted to the primary computer entrusted device 600.

  Upon receiving the ciphertext (C_1, C_2) from the second communication device 800, the primary computed entrusting device 600 transfers the first ciphertext parameter information C_1 to the secondary computed entrusting device 700. At this time, in the primary entrusted device 600, the first ciphertext parameter information C_1 is given to the partial decryption calculation unit 605, and the second ciphertext parameter information C_2 is given to the temporary storage unit 604 and stored.

  On the other hand, the secondary calculated consignment device 700 receives the first ciphertext parameter information C_1 generated by the second communication device 800 via the primary calculated consignment device 600.

  (S202) In the primary computable device 600, the partial decryption calculation unit 605 receives the first ciphertext parameter information C_1 received from the second communication device 800 and the first communication read from the public key certificate acquisition unit 608. Based on the public key P_X of the device 500, the entrusted parameter information T_1 read from the entrusted parameter information storage unit 603, and the secret key information d_1 read from the secret key information storage unit 602, the first is obtained by Expression (2-4). First partial ciphertext parameter information C_11 is obtained. The partial decryption calculation unit 605 encrypts the first partial first ciphertext parameter information C_11 with the pre-shared key information K_XD1 with the first communication device read from the secret key information storage unit 602. Then, the transmission / reception unit 601 transmits the encrypted enc (K_XD1, C_11) and the second ciphertext parameter information C_2 temporarily stored in the temporary storage unit 604 to the first communication device 500.

  (S203) In the secondary computation entrusted device 700, the partial decryption calculation unit 704 receives the received first ciphertext parameter information C_1 and the public key P_X of the first communication device 500 read from the public key certificate acquisition unit 706. The consignment parameter information T_2 read from the consignment parameter information storage unit 703, the secret key information d_2 read out from the secret key information storage unit 702, and the second partial first ciphertext parameter information C_12 according to the equation (2-5) Ask. The partial decryption calculation unit 704 encrypts the second partial first ciphertext parameter information C_12 with the pre-shared key information K_XD2 with the first communication device read from the secret key information storage unit 702. Then, the transmitting / receiving unit 701 transmits the encrypted enc (K_XD2, C_12) to the first communication device 500.

  (S204) In the first communication device 500, the partial first ciphertext parameter information decryption unit 506 uses the partial cipher part first parameter information encryption result enc (K_XD1, C_11) and enc (K_XD2, C_12) as a secret key. Using the private key information K_XD1 and K_XD2 stored in the information storage unit 502, the first partial first ciphertext parameter information C_11 and the second partial first ciphertext parameter information C_12 are decrypted, and the first part First ciphertext parameter information C_11 and first partial second ciphertext parameter information C_12 are obtained. The partial first ciphertext parameter information decryption unit 506 gives the partial first ciphertext parameter information C_11 and C_12 to the premaster secret information synthesis unit 507. The premaster secret information combining unit 507 performs pre-expression based on the expression (2-3) based on the partial first ciphertext parameter information C11 and C_12 and the second ciphertext parameter information C_2 received from the primary computed entrusted device 600. The master secret information K_PM is obtained, and the premaster secret information K_PM is stored in the secret key information storage unit 502.

  (S205), (S206), (S207), and (S208) are the same as steps (S106), (S107), (S108), and (S109), respectively, in the description of the mobile phone according to the first embodiment. Omitted.

(C-3) Effects of Second Embodiment As described above, the second embodiment has the following effects.

  The secret key information used for the calculation of the partial ciphertext parameter information C_11 and C_12 in the primary computed entrusting apparatus 600 and the secondary computed entrusting apparatus 700 is only the secret keys d_1 and d_2, respectively.

  The shared key K is obtained when the first communication device 500 receives and synthesizes the results calculated by the primary computing entrusting device 600 and the secondary computing entrusting device 700, so that any computing entrusting device can share the shared key K. I don't know. Even if this for one or the other of the calculation commissioned device is or is taken over, if the other of the calculation entrusted device successfully, the attacker can not be synthesized a shared key K.

  The first communication device 500 calculates the key sharing protocol between the first communication device 500 and the second communication device 800 by the delivery of the premaster secret and the authentication key sharing protocol using the authentication by the digital signature. It can be executed while entrusting some of the calculations to the entrusting devices 600 and 700.

  The amount of calculation required on the first communication device 500 side is a total of two times of decryption of shared key calculation and multiplication on a finite field, or two times of addition of rational points on an elliptic curve.

  In addition, the information to be transmitted from the secondary computing entrustment device 700 to the first communication device 500 is temporarily routed through the primary computing entrustment device 600, so that the primary computation entrusting device 600 is encrypted. 1 ciphertext parameter information enc (K_XD1, C_11), enc (K_XD2, C_12) and second ciphertext parameter information C_2 partial signature parameter information enc (K_XD1, κ_1), enc (K_XD2, κ_2), ρ_1, ρ_2, and message The digest h is transmitted to the first communication device 100 in a lump, and the first communication device 100 transmits the signature parameter information p and α to the primary calculated consignment device 600, and the primary calculated consignment device 600 receives the second By relaying to the communication device 800, the first communication device 500 and the primer The number of communications between the recalculated entrusting devices 600 can be made one round trip.

  As described above, (A) a system that satisfies the five conditions described in the basic concept of the present invention can be realized.

(D) Other Embodiments (D-1) In the first and second embodiments described above, the case where there is one secondary calculation consignment device is illustrated, but there may be a plurality of secondary calculation consignment devices. .

(D-2) In the first and second embodiments described above, the case where the second communication device generates and sends the premaster secret information is illustrated. However, the first communication device transmits the premaster secret information. You may make it transmit.

  In this case, the first communication device creates pre-master secret information, encrypts the pre-master secret information with the pre-shared health K_XD1, and transmits the pre-master secret information to the primary computer entrusted device. This can be realized by encrypting the secret information with the public key of the second communication device and sending it to the second communication device. As another method, for example, a method in which the primary entrusted device creates a premaster secret, encrypts the created premaster secret with the public key of the second communication device, and transmits it to the second communication device is applied. it can.

(D-3) In the first and second embodiments described above, the case where the second communication device authenticates the digital signature of the first communication device is exemplified. However, the first communication device and the second communication are described. The devices may perform mutual authentication.

  When the authentication is mutual authentication, the primary computer entrusted device may perform the verification of the digital signature of the second communication device instead of the first communication device.

(D-4) In the second embodiment described above, ElGamal encryption and elliptic curve ElGamal encryption are assumed as encryption algorithms. However, the system defined in the second embodiment is also used when the encryption algorithm is an RSA encryption algorithm. Can be applied.

  Specifically, in the case of RSA cryptography, the composite number L, n = φ (L), where φ (•) is an Euler function, the first key is the first key for the secret key x of the first communication device. When the public key of the communication device is y, it is an integer that satisfies xy≡1 (mod n). Therefore, the premaster secret delivery unit 803 in the second communication device calculates C = K_PM ^ χ as the ciphertext C.

  The primary computed entrusting apparatus 600 receives the ciphertext C and sends it to the partial decryption calculation unit 605, and also transfers the ciphertext C to the secondary computed entrusting apparatus 700. In this case, the temporary storage unit of the primary calculated consignment device 600 is not necessary. The partial decryption calculation unit 605 of the primary calculated consignment device 600 and the partial decryption calculation unit 704 of the secondary calculation consignment device 700 are subjected to the same calculation processing as in the second embodiment, and the respective outputs C_1 ′ and C_2 ′. Is encrypted with each pre-shared key and transmitted to the first communication device.

  In the first communication apparatus, the partial premaster secret decoding unit 508 decodes C_1 ′ and C_2 ′ and outputs them to the premaster secret information synthesis unit 507, and the premaster secret information synthesis unit 507 outputs K_PM = C_1 ′ · C_2 ′. By obtaining pre-master secret information K_PM as (mod n), it is possible to cope with the RSA encryption algorithm.

(D-5) The commission parameter information (T_1 and T_2) in the first embodiment may be generated by the method described in the second embodiment.

  In this case, the delegation parameter information decrypted with the shared key between the first communication device and the computing entrustment device is X_j, and this is P_V ^ rx_j with respect to the public key information P_V of the second communication device. This may be sent to the first communication device, and ΠP_V ^ x_j = P_V ^ rx may be synthesized by the first communication device.

(D-6) Regarding the signature generation process, in the first and second embodiments described above, the primary calculated consignment device creates κ_1 and ρ_1 and transmits them to the first communication device. The case where κ_2 and ρ_2 are created and transmitted to the first communication device is illustrated.

  However, ρ_2 is transmitted to the first communication device without being encrypted. Therefore, the secondary calculated consignment device transmits enc (K_XD2, κ_2) and ρ_2 to the primary calculated consignment device, and the primary calculated consignment device combines ρ = ρ_1 · ρ_2 and combines the combined ρ with the first You may make it transmit to a communication apparatus.

1 ... System,
100 and 500: first communication device,
101 and 501, ... transmission / reception unit, 102 and 502 ... secret key information storage unit,
103 and 503 ... public key certificate acquisition unit,
104 and 504 ... secret key information dividing unit,
105 and 505 ... consignment parameter generation unit, 106 ... partial shared key decryption unit,
107 ... Shared key composition unit, 108 and 508 ... Partial signature parameter decryption unit,
109 and 509... Signature parameter synthesis unit,
110 and 510... Signature generation unit,
506 ... Partial first ciphertext parameter information decryption unit,
507 ... Premaster secret information synthesis unit,
200 and 600 ... primary calculation entrusted device,
201 and 601, transmission / reception unit, 202 and 602, secret key information storage unit,
203 and 603 ... consignment parameter storage unit,
204 ... Key sharing parameter generation unit, 205 ... Partial shared key calculation unit,
206: Key sharing parameter delivery management unit,
207 and 606 ... message digest information generation unit,
208 and 607... Partial signature parameter generation unit,
209 ... Public key certificate acquisition unit, 604 ... Temporary storage unit,
605 ... Partial decoding calculation unit,
300 and 700 ... secondary calculation commissioned device,
301 and 701 ... transmission / reception unit, 302 and 702 ... secret key information storage unit,
303 and 703 ... consignment parameter storage unit, 304 ... partial shared key calculation unit,
305 and 705... Partial signature parameter generation unit,
306 and 706 ... public key certificate acquisition unit, 704 ... partial decryption calculation unit,
400 and 800 ... second communication device,
401 and 801 ... transmission / reception unit, 402 and 802 ... secret key information storage unit,
403 ... Shared key calculation unit,
404 and 804 ... message digest information generation unit,
405 and 805... Signature verification unit,
406 and 806... Public key certificate acquisition unit,
803: Premaster secret delivery unit.

Claims (30)

First storage means for storing secret key information;
Second storage means for storing first public key information;
Third storage means for storing N pieces of public key information from the second to the (N + 1) th,
Integer dividing means for dividing the secret key information of the first storage means into N partial secret key information;
A unit of a cyclic group is combined with a predetermined cyclic group element by an operator defined in the cyclic group by a number given by a predetermined integer, and the secret of the first storage means First calculation means for performing calculation processing based on the key information and each public key information read out one by one from the N pieces of public key information in the third storage means;
Key conversion means for converting the calculation result of the first calculation means into N pieces of common key information from 1 to N;
A unit of a cyclic group is combined with elements of a predetermined cyclic group by an operator defined in the cyclic group by a number given by a predetermined integer, and the N partial secret key information and Second computing means for obtaining N partial shared key calculation parameters from first to Nth based on the first public key information of the second storage means;
The j-th common key information of the N pieces of common key information is used as key information, and the bit string representation of the corresponding j-th partial shared key calculation parameter is encrypted as a bit string to be encrypted, and the j-th common key information is encrypted. And enciphering means for generating the first to Nth entrusted parameter information. The entrusted parameter information generating apparatus characterized by comprising: First storage means for storing secret key information;
Second storage means for storing first public key information;
Third storage means for storing N pieces of public key information from the second to the (N + 1) th,
Integer dividing means for dividing the secret key information of the first storage means into N partial secret key information;
A unit of a cyclic group is combined with a predetermined cyclic group element by an operator defined in the cyclic group by a number given by a predetermined integer, and the secret of the first storage means First calculation means for performing calculation processing based on the key information and each public key information read out one by one from the N pieces of public key information in the third storage means;
Key conversion means for converting the calculation result of the first calculation means into N pieces of common key information from 1 to N;
The j-th common key information of the N pieces of common key information is used as key information, and the bit string representation of the corresponding j-th partial secret key information is encrypted as a bit string to be encrypted, and the j-th common key information is encrypted. An entrustment parameter information generating apparatus, comprising: enciphering means for generating entrustment parameter information and generating first to Nth entrustment parameter information. Transmitting and receiving means;
A communication apparatus comprising: commission parameter information generation means corresponding to the commission parameter information generation apparatus according to claim 1. Shared key information storage means for storing pre-shared key information provided in advance;
Decryption means for inputting N integers encrypted with the pre-shared key information, decrypting the input N integers with the pre-shared key information, and obtaining N pieces of partial information;
A shared key synthesizing apparatus comprising: a synthesizing unit that obtains predetermined secret information by combining N pieces of partial information decoded by the decoding unit by a predetermined operation.   5. The shared key composition apparatus according to claim 4, wherein each integer is partial shared key information, and the predetermined secret information is shared key information.   5. The shared key composition apparatus according to claim 4, wherein each integer is partial premaster secret information, and the predetermined secret information is premaster secret information. Instead of inputting N pieces of partial shared key information, the combining means receives N partial first ciphertext parameter information and second ciphertext parameter information, and the combining means the first ciphertext parameter information calculated by combining in operation defined the first ciphertext parameter information Tour times groups, as well as calculating the inverse of said first ciphertext parameter information, and the inverse element, the 6. The shared key composition apparatus according to claim 5, wherein the shared key information is obtained by combining the second ciphertext parameter information with an operation defined in a cyclic group. Storage means for storing pre-shared key information and secret key information set in advance;
Decryption means for decrypting information encrypted with the pre-shared key information;
N partial digital signature parameter information is summed in a finite field consisting of a set (0, 1,..., N−1) with respect to the order n of a predetermined cyclic group, and the finite field of the sum is obtained. The inverse element in the multiplicative group is obtained, and the product obtained by replacing the arbitrary hash value with the element of the finite field plus the product of the secret key information and the digital signature first parameter information is multiplied by the inverse element. Calculating means for obtaining the second parameter information of the digital signature obtained by
The decryption means receives N pieces of encrypted partial digital signature parameter information and decrypts them with the pre-shared key information;
The arithmetic means receives the N partial digital signature parameter information decrypted by the decryption means, receives digital signature first parameter information from a predetermined interface, and stores the N partial digital signature parameter information as a predetermined Combined by calculation to calculate digital signature parameter information, and based on the digital signature parameter information, the digital signature first parameter information, a predetermined hash value, and the secret key information, the digital signature second parameter information A signature information synthesizing apparatus characterized in that The arithmetic means receives N partial digital signature first parameter information from a predetermined interface, and combines the N partial digital signature first parameter information by an operation defined in the cyclic group to obtain a digital signature. 9. The signature information synthesizing apparatus according to claim 8, wherein the first parameter information is obtained. Storage means for storing pre-shared key information set in advance;
Decryption means for decrypting information encrypted with the pre-shared key information;
Computing means for calculating digital signature information by combining N pieces of partial digital signature information by computation defined in a predetermined cyclic group ;
The decrypting means decrypts N partial digital signature information encrypted with the pre-shared key information using the pre-shared key information stored in the storage means;
The signature information synthesizing apparatus, wherein the arithmetic means obtains digital signature information by combining the N pieces of partial digital signature information. Transmitting and receiving means;
A shared key synthesizing unit corresponding to the shared key synthesizing apparatus according to claim 4;
Digital signature synthesizing means corresponding to the signature information synthesizing device according to any one of claims 8 to 10,
The transmission / reception means includes
Receiving either encrypted N partial shared key information, encrypted N partial first ciphertext parameter information, or encrypted N partial premaster secret information; When the second ciphertext parameter information is received as well as being provided to the decrypting means of the shared key synthesizing means, it is provided to the synthesizing means of the shared key synthesizing means, and the shared key synthesizing means is provided with either the shared key information Ask for master secret information,
The encrypted N partial digital signature parameter information or the encrypted N partial digital signature information is received and given to the decryption means of the digital signature synthesis means, and the digital signature first parameter information Or when the N partial digital signature first parameter information or the hash value is received, it is given to the computing means of the digital signature synthesizing means, and the digital signature synthesizing means is asked for the digital signature information, and the digital signature information is A communication apparatus that transmits to a predetermined transmission destination. Consignment parameter information generation means corresponding to the consignment parameter information generation device according to claim 1 or 2,
12. The communication apparatus according to claim 11, wherein the transmission / reception means transmits at least N pieces of commission parameter information generated by the commission parameter information generation means to a predetermined transmission destination. First storage means for storing secret key information;
Second storage means for storing first public key information;
Third storage means for storing consignment parameter information;
The unit of the cyclic group is obtained by combining the elements of the predetermined cyclic group by the operator defined in the cyclic group by the number given by the predetermined integer, and the first storage means First calculation means for performing a predetermined calculation process as an element of the predetermined cyclic group based on the secret key information and the first public key information of the second storage means;
Key conversion means for converting the calculation result of the first calculation means into common key information;
Arbitrary bit string information is regarded as ciphertext and decrypted with a predetermined key information bit string, the common key information is used as a key information bit string, and the consigned parameter information stored in the third storage means is the bit string information. Decoding means for performing a decoding process as:
Information input means for inputting random number information from a predetermined interface;
A unit obtained from a cyclic group is obtained by combining a predetermined cyclic group element by an operator defined in the cyclic group by a number given by a predetermined integer, and is input from the information input means. A second computing means for combining the information input from the first computing means with a predetermined computation using the information input from the first computing means as an element of a predetermined cyclic group;
Any bit string information is encrypted with a predetermined key information bit string, and the common key information of the key conversion means is used as a key information bit string, and the information from the second arithmetic means is encrypted as bit string information. And a key sharing computation entrusting device characterized by comprising: The decoding result by the decoding means is set as first parameter information,
The information input to the information input means is the second parameter information,
14. The key sharing computation entrustment according to claim 13, wherein the second calculation means performs a predetermined calculation based on the first parameter information and the second parameter information. apparatus. The first parameter information is an integer,
The second parameter information is ciphertext parameter information,
The second calculation means inputs the first parameter as a predetermined integer, and combines the ciphertext parameter information, which is the second parameter information, with a predetermined calculation as an element of a predetermined cyclic group. The key sharing computed entrusting apparatus according to claim 14 , wherein the encryption means is provided with the encryption means. The first parameter information is a predetermined integer;
The second parameter information is second public key information and random number information,
The second calculation means inputs a product of a predetermined integer that is the first parameter information and the random number information as a predetermined integer, and uses the second public key information as an element of a predetermined cyclic group. 15. The key sharing computed entrusting apparatus according to claim 14 , wherein the operation result combined by a predetermined operation is given to the encryption means. The first parameter information is a cyclic group element,
The second parameter information is random number information,
The second calculation means uses the first parameter information as a source of a predetermined cyclic group, the random number information that is the second parameter information as a predetermined integer, and combines the calculation result with a predetermined calculation as the cipher. The key sharing computed entrusting apparatus according to claim 14 , wherein the key sharing computed entrusting apparatus according to claim 14 is provided. First storage means for storing secret key information;
Second storage means for storing first public key information;
Third storage means for storing consignment parameter information;
A unit obtained from a cyclic group is obtained by combining a predetermined cyclic group element with an operator defined in the cyclic group by a number given by a predetermined integer. A first arithmetic unit that reads the first public key information from the second storage unit and performs a predetermined operation as an element of a predetermined cyclic group;
Key conversion means for converting the information output by the first calculation means into common key information;
Arbitrary bit string information is regarded as ciphertext and decrypted with a predetermined key information bit string, the common key information is received, the common key information is used as a key information bit string, and stored in the third storage means Decryption means for performing decryption processing using the commission parameter information as bit string information;
Information input means for inputting ciphertext information from a predetermined interface;
The result obtained by calculating the power of the first integer by the number given by the second integer is output. The integer input from the information input means is set as the first integer, and input from the decoding means. Second computing means for performing power multiplication on the obtained information as the second integer;
Encrypting means for encrypting arbitrary bit string information with a predetermined key information bit string, and encrypting information inputted from the second computing means with common key information inputted from the key converting means And a key sharing computation entrusting device. First storage means for storing secret key information;
Second storage means for storing first public key information;
A unit of the cyclic group is combined with a predetermined element of the cyclic group by an operator defined in the cyclic group by a number given by a predetermined integer, and the secret of the first storage means First calculation means for performing a predetermined calculation with the key information as a predetermined integer and the first public key information of the second storage means as an element of a predetermined cyclic group;
Key conversion means for converting the calculation result of the first calculation means into common key information;
Random number information generating means for generating random number information;
The unit of the cyclic group is combined with a predetermined generator of the cyclic group by an operator defined in the cyclic group by the number given by a predetermined integer, and the above-mentioned random number information generating means A second calculation means for performing a predetermined calculation using the random number information as a predetermined integer;
An arbitrary bit string information is encrypted with a predetermined key information bit string, and comprises encryption means for encrypting information from the random number information generating means with common key information input from the key converting means. A signature information generation computation entrusted device characterized by the above.   The said 2nd calculating means couple | bonds the information which the said 2 or more said 1st calculating means output further with the calculation defined to the predetermined | prescribed cyclic group, It is characterized by the above-mentioned. Signature information generation calculation entrusted device described. First storage means for storing secret key information;
Second storage means for storing first public key information;
Third storage means for storing consignment parameter information;
A unit of a cyclic group is combined with a predetermined cyclic group element by an operator defined in the group by a number given by a predetermined integer, and the secret key of the first storage means First calculation means for performing a predetermined calculation using information as a predetermined integer and the first public key information of the second storage means as an element of a predetermined cyclic group;
Key conversion means for converting the calculation result of the first calculation means into common key information;
Arbitrary bit string information is regarded as ciphertext and decrypted with a predetermined key information bit string, the common key information is used as a key information bit string, and the consignment parameter information in the third storage means is decrypted as bit string information. Decryption means;
Information input means for inputting signature target information from a predetermined interface;
The power of the first integer is calculated by the number given by the second integer. The information from the decoding means is the second integer, and the information from the information input means is the above-mentioned information. Second computing means for obtaining a result of power calculation as the first integer;
Encrypting arbitrary bit string information with a predetermined key information bit string, comprising: encryption means for encrypting information from the second calculation means with the common key information of the key conversion means; Signature information generation device to be entrusted to be calculated. Transmitting and receiving means;
A key sharing calculation entrusting unit corresponding to the key sharing calculation entrusting device according to any one of claims 13 to 18,
A signature information generation / computation entrusting means corresponding to the signature information generation / computation entrusting device according to any one of claims 19 to 21;
The transmission / reception means includes
Random number information, ciphertext parameter information, or ciphertext information is received and given to the key sharing computation entrusting means,
Output information of the encryption means of the key sharing calculation entrusting means and the encryption means of the signature information generation calculated entrusting means,
Or, the output information of the encryption means of the key sharing calculation entrustment means, the encryption means of the signature information generation calculation entrustment means and the second calculation means of the signature information generation calculation entrustment means,
A calculation entrusted device characterized by being transmitted to a predetermined communication device. Random number information delivery management means for delivering random number information;
The ciphertext information, or the first ciphertext parameter information and the second ciphertext parameter information are received, and the ciphertext information or the first ciphertext parameter information is delivered to another proxy device and the above Ciphertext information delivery management means for delivering the second ciphertext parameter information to the communication device acting as proxy,
Message digest information generating means for generating a message digest from a predetermined message;
A message entrusted apparatus comprising: message digest information delivery management means for transmitting information generated by the message digest information generating means to another proxy device or a proxy communication device. In a key sharing system in which a part of security processing between the first communication device and the second communication device is performed by the proxy device on behalf of the first communication device.
The first communication device is
Consignment parameter information generation means corresponding to the consignment parameter information generation apparatus according to claim 1 or 2,
A shared key synthesizing unit corresponding to the shared key synthesizing apparatus according to any one of claims 4 to 7,
The proxy device is
A first calculated consignment means corresponding to the calculated consignment device according to claim 23;
And N-1 second calculated consignment means corresponding to the calculated consignment device according to claim 22,
The first calculated consignment means and the respective second calculated consignment means obtain the consignment parameter information generated by the consignment parameter information generation means,
The first calculated consignment means generates random number information and transmits the random number information to the second calculated consignment means and the second communication device, and also generates first partial shared key information, and Sent to the shared key synthesis means,
The N-1 second calculated delegation means generates second to Nth partial shared key information based on the random number information from the first calculated delegation means, and the shared key Send it to the synthesis means,
The shared key synthesizing unit receives the first to Nth partial shared key information, calculates shared key information,
The key communication system, wherein the second communication device receives random number information from the first calculation entrusting means and calculates shared key information. In a key sharing system in which a part of security processing between the first communication device and the second communication device is performed by the proxy device on behalf of the first communication device.
The first communication device is
Consignment parameter information generation means corresponding to the consignment parameter information generation apparatus according to claim 1 or 2,
A shared key synthesizing unit corresponding to the shared key synthesizing apparatus according to any one of claims 4 to 7,
The proxy device is
A first calculated consignment means corresponding to the calculated consignment device according to claim 23;
And N-1 second calculated consignment means corresponding to the calculated consignment device according to claim 22,
The first calculated consignment means and the respective second calculated consignment means obtain the consignment parameter information generated by the consignment parameter information generation means,
The second communication device encrypts the premaster secret information and the premaster secret information, generates a ciphertext comprising the first ciphertext parameter information and the second ciphertext parameter information, and generates the first encrypted data. Send to the calculation entrustment means,
The first computed entrusting means transfers the first ciphertext parameter information to N-1 second computed entrusting means, and the first partial first cipher from the first ciphertext parameter information. Generating sentence parameter information, transmitting the first partial first ciphertext parameter information and the second ciphertext parameter information to the shared key synthesizing means,
The N-1 second calculated entrustment units respectively receive the first ciphertext parameter information and obtain the second to Nth partial first ciphertext parameter information from the first ciphertext parameter information. Generated and sent to the shared key synthesizing means,
The shared key synthesizing means receives the first to Nth partial first ciphertext parameter information and the second ciphertext parameter information and calculates premaster secret information. In a key sharing system in which a part of security processing between the first communication device and the second communication device is performed by the proxy device on behalf of the first communication device.
The first communication device is
Consignment parameter information generation means corresponding to the consignment parameter information generation apparatus according to claim 1 or 2,
A shared key synthesizing unit corresponding to the shared key synthesizing apparatus according to any one of claims 4 to 7,
The proxy device is
A first calculated consignment means corresponding to the calculated consignment device according to claim 23;
And N-1 second calculated consignment means corresponding to the calculated consignment device according to claim 22,
The first calculated consignment means and the respective second calculated consignment means obtain the consignment parameter information generated by the consignment parameter information generation means,
The second communication device encrypts the premaster secret information and the premaster secret information, generates ciphertext information, and transmits the ciphertext information to the first calculation entrusting means.
The first computed entrusting means transfers the ciphertext information to the N-1 second computed entrusting means and generates first partial ciphertext information from the ciphertext information. Sent to the shared key synthesis means,
Each of the N-1 second computation entrusting units receives the ciphertext information, generates second to Nth partial ciphertext information from the ciphertext information, and sends the ciphertext information to the shared key synthesizing unit. Send
The shared key composition means receives the first to Nth partial ciphertext information and calculates premaster secret information. In a signature information verification system in which a proxy device performs a part of security processing between a first communication device and a second communication device on behalf of the first communication device,
The first communication device is
Consignment parameter information generation means corresponding to the consignment parameter information generation apparatus according to claim 1 or 2,
Signature information synthesizing means corresponding to the signature information synthesizing device according to any one of claims 8 to 10,
The proxy device is
A first calculated consignment means corresponding to the calculated consignment device according to claim 23;
And N-1 second calculated consignment means corresponding to the calculated consignment device according to claim 22,
The first calculated consignment means and the respective second calculated consignment means obtain the consignment parameter information generated by the consignment parameter information generation means,
The first computed delegation means generates first partial digital signature parameter information and first partial digital signature first parameter information, encrypts the first partial digital signature parameter information, and Sent to the signature information synthesis means,
The N-1 second computation entrusting units generate second to Nth partial digital signature parameter information and second to Nth partial digital signature first parameter information, respectively, to generate partial digital signatures. The parameter information is encrypted and sent to the signature information combining means,
The signature information combining means receives the encrypted first to Nth partial digital signature parameter information and the first to Nth partial digital signature first parameter information, and receives the digital signature first parameter information. Calculating the digital signature second parameter information and transmitting it to the second communication device,
The second communication device receives and verifies the digital signature first parameter information and the digital signature second parameter information from the signature information combining means;
A signature information verification system characterized by the above. In a signature information verification system in which a proxy device performs a part of security processing between a first communication device and a second communication device on behalf of the first communication device,
The first communication device is
Consignment parameter information generation means corresponding to the consignment parameter information generation apparatus according to claim 1 or 2,
Signature information synthesizing means corresponding to the signature information synthesizing device according to any one of claims 8 to 10,
The proxy device is
A first calculated consignment means corresponding to the calculated consignment device according to claim 23;
And N-1 second calculated consignment means corresponding to the calculated consignment device according to claim 22,
The first calculated consignment means and the respective second calculated consignment means obtain the consignment parameter information generated by the consignment parameter information generation means,
The N-1 second computation entrusting units generate second to Nth partial digital signature parameter information and second to Nth partial digital signature first parameter information, respectively, to generate partial digital signatures. The parameter information is encrypted and sent to the first calculation entrusting means.
The first computed delegation means generates first partial digital signature parameter information and first partial digital signature first parameter information, and encrypts the first partial digital signature parameter information. , Receiving the second to Nth partial digital signature first parameter information and the encrypted second to Nth partial digital signature parameter information, and receiving the second to Nth partial digital signatures The signature first parameter information is combined by a predetermined operation to generate digital signature first parameter information, and the encrypted first to Nth partial digital signature parameter information and the digital signature first parameter information are , Send it to the signature information synthesis means,
The signature information combining means receives the encrypted first to Nth partial digital signature parameter information and the digital signature first parameter information, calculates the digital signature second parameter information, Transmitting the digital signature second parameter information together with the digital signature first parameter information to the second communication device;
The second communication device receives and verifies the digital signature first parameter information and the digital signature second parameter information from the signature information combining means;
A signature information verification system characterized by the above. In a signature information verification system in which a proxy device performs a part of security processing between a first communication device and a second communication device on behalf of the first communication device,
The first communication device is
Signature information synthesizing means corresponding to the signature information synthesizing device according to any one of claims 8 to 10,
The proxy device is
A first calculated consignment means corresponding to the calculated consignment device according to claim 23;
And N-1 second calculated consignment means corresponding to the calculated consignment device according to claim 22,
The first calculation entrusting means generates the first partial digital signature information and transmits it to the signature information synthesizing means,
The N-1 second calculated entrustment units respectively generate second to Nth partial digital signature information, and transmit the second to Nth partial digital signature information to the signature information synthesis unit,
The signature information synthesizing means receives the first to Nth partial digital signature information, calculates the digital signature information and transmits it to the second communication device;
The signature information verification system, wherein the second communication device receives and verifies the digital signature information from the first communication device.   A communication system comprising: the key sharing system according to any one of claims 23 to 26; and the signature information verification system according to any one of claims 27 to 29.

Images